ID-based Cryptography from Composite Degree Residuosity

We present identity-based identification (resp. encryption, signature, blind signature,ring signature) from composite degree residuosity (CDR). Constructions of identifications and signatures motivated by several existing CDR-based bandwidth-efficient encryption schemes are presented. Their securities are proven equivalent to famous hard problems, in the random oracle model. Motivated by Cocks,we construct an identity-based encryption from CDR. Its security is proven equivalent to a new problem, the JSR (Jacobi Symbol of Roots of two quadratic polynomials) Problem. We prove JSR is at least as hard as QRP (Quadratic Residuosity Problem). Furthermore, we present the first two-way equivalence reduction of the security of Cocks\u27 IBE, to the JSR Problem

A fair payment system with online anonymous transfer

Thesis (M. Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 2007.Includes bibliographical references (p. 26-27).Physical cash can be anonymously transfered. Transferability is a desirable property because it allows for flexible, private commerce where neither the seller nor the buyer must identify themselves to the bank. In some cases, however, anonymity can be abused and lead to problems such as blackmail and money laundering. In 1996, Camenisch, Piveteau, and Stadler introduced the concept of fairness for (non-transferable) ECash, where a trusted authority can revoke the anonymity of certain transactions as needed. To our knowledge, no current ECash system supports both anonymous transfer and fairness. We have designed and implemented such a system. Also, we formally describe a set of desirable properties for ECash systems and prove that our system meets all of these properties under the Strong RSA assumption and the Decisional Diffie-Hellman assumption in the random oracle model. Furthermore, we provide extensions for our system that could allow it to deal with offline payments and micropayments. Our system has been implemented in java. Tests have shown that it performs and scales well, as expected.by Bin D. Vo.M.Eng

Spontaneous anonymous group cryptography and its applications.

Fung Kar-Yin.Thesis (M.Phil.)--Chinese University of Hong Kong, 2004.Includes bibliographical references (leaves 72-81).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiChapter 1 --- Introduction --- p.1Chapter 1.1 --- Development of Cryptography --- p.1Chapter 1.2 --- Group Cryptography --- p.3Chapter 1.3 --- Spontaneous Anonymous Group Signature --- p.4Chapter 1.4 --- Blind Signature --- p.5Chapter 1.5 --- Blind SAG Signature --- p.6Chapter 1.6 --- Organization of This Thesis --- p.6Chapter 2 --- Background Study --- p.7Chapter 2.1 --- Six Primitives in Cryptography --- p.7Chapter 2.1.1 --- Symmetric Encryption --- p.8Chapter 2.1.2 --- Asymmetric Encryption --- p.8Chapter 2.1.3 --- Digital Signature --- p.9Chapter 2.1.4 --- Hash Function --- p.9Chapter 2.1.5 --- Digital Certificate --- p.10Chapter 2.1.6 --- Proof of Knowledge --- p.10Chapter 2.2 --- Euler Totient Function --- p.11Chapter 2.3 --- One-Way Function --- p.12Chapter 2.3.1 --- One-Way Trapdoor Function --- p.13Chapter 2.3.2 --- Discrete Logarithm Problem --- p.13Chapter 2.3.3 --- RSA Problem --- p.14Chapter 2.3.4 --- Integer Factorization Problem --- p.15Chapter 2.3.5 --- Quadratic Residuosity Problem --- p.15Chapter 2.3.6 --- Schnorr's ROS assumption --- p.16Chapter 2.4 --- Bilinear Pairing --- p.16Chapter 2.4.1 --- Weil Pairing --- p.18Chapter 2.4.2 --- Tate Pairing --- p.18Chapter 2.5 --- Gap Diffie-Hellman Group --- p.19Chapter 2.5.1 --- GDH --- p.19Chapter 2.5.2 --- Co-GDH --- p.20Chapter 2.6 --- Random Oracle Model --- p.21Chapter 2.6.1 --- Random Permutation --- p.23Chapter 2.6.2 --- Lunchtime Attack --- p.23Chapter 2.6.3 --- Back Patch --- p.23Chapter 2.6.4 --- Rewind Simulation --- p.24Chapter 2.7 --- Generic Group Model --- p.24Chapter 3 --- Digital and Threshold Signatures --- p.26Chapter 3.1 --- Introduction --- p.26Chapter 3.2 --- Notion of Attacks and Security in Signature --- p.28Chapter 3.2.1 --- Types of Signatures --- p.29Chapter 3.3 --- Threshold Signature --- p.31Chapter 3.4 --- Properties in Threshold Signatures --- p.31Chapter 4 --- Blind Signature --- p.33Chapter 4.1 --- Introduction --- p.33Chapter 4.1.1 --- Security Requirements --- p.35Chapter 4.2 --- Transferred Proof of Knowledge --- p.36Chapter 4.3 --- RSA Based Schemes --- p.37Chapter 4.3.1 --- Chaum's RSA Scheme --- p.37Chapter 4.3.2 --- Abe's RSA Scheme --- p.38Chapter 4.4 --- Discrete Logarithm Based Schemes --- p.39Chapter 4.4.1 --- Schnorr Blind Signature --- p.39Chapter 4.4.2 --- Okamoto-Schnorr Blind Signature --- p.40Chapter 4.5 --- Bilinear Mapping Based Schemes --- p.40Chapter 5 --- Spontaneous Anonymous Group Signature --- p.42Chapter 5.1 --- Introduction --- p.42Chapter 5.2 --- Cramer-Damgard-Schoemaker (CDS) SAG Signature --- p.44Chapter 5.2.1 --- (1´ةn)-CDS type SAG Signature --- p.44Chapter 5.2.2 --- "(t, n)-CDS type SAG Signature" --- p.45Chapter 5.3 --- Ring-type SAG Signature Schemes --- p.46Chapter 5.3.1 --- Rivest-Shamir-Tauman --- p.46Chapter 5.3.2 --- Abe's 1-out-of-n Ring Signature --- p.49Chapter 5.4 --- Discussions --- p.51Chapter 6 --- Blind SAG Signature --- p.53Chapter 6.1 --- Introduction --- p.53Chapter 6.2 --- Security Definitions --- p.54Chapter 6.2.1 --- Security Model --- p.55Chapter 6.3 --- "(1,n)-Ring Structured Blind SAG Signature" --- p.57Chapter 6.3.1 --- Signing Protocol --- p.58Chapter 6.3.2 --- Verification Algorithm --- p.58Chapter 6.4 --- CDS-type Blind SAG Signature --- p.59Chapter 6.4.1 --- "(l,n)-CDS-type" --- p.59Chapter 6.5 --- "(t,n)-CDS-type" --- p.60Chapter 6.5.1 --- Signing Protocol --- p.61Chapter 6.5.2 --- Verification Algorithm --- p.61Chapter 6.6 --- Security Analysis --- p.62Chapter 6.7 --- Applications to Credential System --- p.67Chapter 7 --- Conclusion --- p.69A --- p.71Bibliography --- p.8

Privacy-Preserving Protocols for Vehicular Transport Systems

La present tesi es centra en la privadesa dels ciutadans com a usuaris de mitjans de transport vehiculars dins del marc d'una e-society. En concret, les contribucions de la tesi es focalitzen en les subcategories d'estacionament de vehicles privats en zones públiques regulades i en la realització de transbordaments entre línies intercomunicades en l'àmbit del transport públic. Una anàlisi acurada de les dades recopilades pels proveedors d'aquests serveis, sobre un determinat usuari, pot proporcionar informació personal sensible com per exemple: horari laboral, professió, hobbies, problemes de salut, tendències polítiques, inclinacions sexuals, etc. Tot i que existeixin lleis, com l'europea GDPR, que obliguin a utilitzar les dades recollides de forma correcta per part dels proveedors de serveis, ja sigui a causa d'un atac informàtic o per una filtració interna, aquestes dades poden ser utilitzades per finalitats il·legals. Per tant, el disseny protocols que garanteixin la privadesa dels ciutadans que formen part d'una e-society esdevé una tasca de gran importància.La presente tesis se centra en la privacidad de los ciudadanos en el transporte vehicular dentro del marco de una e-society. En concreto, las contribuciones de la tesis se centran en las subcategorías de estacionamiento de vehículos privados en zonas públicas reguladas y en la realización de transbordos entre líneas interconectadas en el ámbito del transporte público. Una análisi acurada de los datos recopilados por los proveedores de los servicios, sobre un determinado usuario, puede proporcionar información personal sensible como por ejemplo: horario laboral, profesión, hobbies, problemas de salud, tendencias políticas, inclinaciones sexuales, etc. A pesar que hay leyes, como la europea GDPR, que obligan a usar de forma correcta los datos recopilados por parte de los proveedores de servicios, ya sea por un ataque informático o por una filtración interna, estos datos pueden utilizarse para fines ilegales. Por lo tanto, es vital diseñar protocolos que garanticen la privacidad de los ciudadanos que forman parte de una e-society.This thesis is focused on the privacy of citizens while using vehicular transport systems within an e-society frame. Specifically, the thesis contributes to two subcategories. The first one refers to pay-by-phone systems for parking vehicles in regulated public areas. The second one is about the use of e-tickets in public transport systems allowing transfers between connecting lines. A careful analysis of data collected by service providers can provide sensitive personal information such as: work schedule, profession, hobbies, health problems, political tendencies, sexual inclinations, etc. Although the law, like the European GDPR, requires the correct use of the data collected by service providers, data can be used for illegal purposes after being stolen as a result of a cyber-attack or after being leaked by an internal dishonest employee. Therefore, the design of privacy-preserving solutions for mobility-based services is mandatory in the e-society

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

The Boneh-Boyen signature scheme is a short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman (SDH) assumption. The primary objective of this thesis is to examine the relationship between the Boneh-Boyen signature scheme and SDH. The secondary objective is to survey surrounding topics such as the generic group model, related signature schemes, intractability assumptions, and the relationship to identity-based encryption (IBE) schemes. Along these lines, we analyze the plausibility of the SDH assumption using the generic bilinear group model. We present the security proofs for the Boneh-Boyen signature scheme, with the addition of a small improvement in one of the probability bounds. Our main contribution is to give the reduction in the reverse direction; that is, to show that if the SDH problem can be solved then the Boneh-Boyen signature scheme can be forged. This contribution represents the first known proof of equivalence between the SDH problem and Boneh-Boyen signatures. We also discuss the algorithm of Cheon for solving the SDH problem. We analyze the implications of Cheon's algorithm for the security of the Boneh-Boyen signature scheme, accompanied by a brief discussion on how to counter the attack

Secure fingerprinting on sound foundations

The rapid development and the advancement of digital technologies open a variety of opportunities to consumers and content providers for using and trading digital goods. In this context, particularly the Internet has gained a major ground as a worldwiede platform for exchanging and distributing digital goods. Beside all its possibilities and advantages digital technology can be misuesd to breach copyright regulations: unauthorized use and illegal distribution of intellectual property cause authors and content providers considerable loss. Protections of intellectual property has therefore become one of the major challenges of our information society. Fingerprinting is a key technology in copyright protection of intellectual property. Its goal is to deter people from copyright violation by allowing to provably identify the source of illegally copied and redistributed content. As one of its focuses, this thesis considers the design and construction of various fingerprinting schemes and presents the first explicit, secure and reasonably efficient construction for a fingerprinting scheme which fulfills advanced security requirements such as collusion-tolerance, asymmetry, anonymity and direct non-repudiation. Crucial for the security of such s is a careful study of the underlying cryptographic assumptions. In case of the fingerprinting scheme presented here, these are mainly assumptions related to discrete logarithms. The study and analysis of these assumptions is a further focus of this thesis. Based on the first thorough classification of assumptions related to discrete logarithms, this thesis gives novel insights into the relations between these assumptions. In particular, depending on the underlying probability space we present new reuslts on the reducibility between some of these assumptions as well as on their reduction efficency.Die Fortschritte im Bereich der Digitaltechnologien bieten Konsumenten, Urhebern und Anbietern große Potentiale für innovative Geschäftsmodelle zum Handel mit digitalen Gütern und zu deren Nutzung. Das Internet stellt hierbei eine interessante Möglichkeit zum Austausch und zur Verbreitung digitaler Güter dar. Neben vielen Vorteilen kann die Digitaltechnik jedoch auch missbräuchlich eingesetzt werden, wie beispielsweise zur Verletzung von Urheberrechten durch illegale Nutzung und Verbreitung von Inhalten, wodurch involvierten Parteien erhebliche Schäden entstehen können. Der Schutz des geistigen Eigentums hat sich deshalb zu einer der besonderen Herausforderungen unseres Digitalzeitalters entwickelt. Fingerprinting ist eine Schlüsseltechnologie zum Urheberschutz. Sie hat das Ziel, vor illegaler Vervielfältigung und Verteilung digitaler Werke abzuschrecken, indem sie die Identifikation eines Betrügers und das Nachweisen seines Fehlverhaltens ermöglicht. Diese Dissertation liefert als eines ihrer Ergebnisse die erste explizite, sichere und effiziente Konstruktion, welche die Berücksichtigung besonders fortgeschrittener Sicherheitseigenschaften wie Kollusionstoleranz, Asymmetrie, Anonymität und direkte Unabstreitbarkeit erlaubt. Entscheidend für die Sicherheit kryptographischer Systeme ist die präzise Analyse der ihnen zugrunde liegenden kryptographischen Annahmen. Den im Rahmen dieser Dissertation konstruierten Fingerprintingsystemen liegen hauptsächlich kryptographische Annahmen zugrunde, welche auf diskreten Logarithmen basieren. Die Untersuchung dieser Annahmen stellt einen weiteren Schwerpunkt dieser Dissertation dar. Basierend auf einer hier erstmals in der Literatur vorgenommenen Klassifikation dieser Annahmen werden neue und weitreichende Kenntnisse über deren Zusammenhänge gewonnen. Insbesondere werden, in Abhängigkeit von dem zugrunde liegenden Wahrscheinlichkeitsraum, neue Resultate hinsichtlich der Reduzierbarkeit dieser Annahmen und ihrer Reduktionseffizienz erzielt

Toward a Post-Quantum Zero-Knowledge Verifiable Credential System for Self-Sovereign Identity

The advent of quantum computers brought a large interest in post-quantum cryptography and in the migration to quantum-resistant systems. Protocols for Self-Sovereign Identity (SSI) are among the fundamental scenarios touched by this need. The core concept of SSI is to move the control of digital identity from third-party identity providers directly to individuals. This is achieved through Verificable Credentials (VCs) supporting anonymity and selective disclosure. In turn, the implementation of VCs requires cryptographic signature schemes compatible with a proper Zero-Knowledge Proof (ZKP) framework. We describe the two main ZKP VCs schemes based on classical cryptographic assumptions, that is, the signature scheme with efficient protocols of Camenisch and Lysyanskaya, which is based on the strong RSA assumption, and the BBS+ scheme of Boneh, Boyen and Shacham, which is based on the strong Diffie-Hellman assumption. Since these schemes are not quantum-resistant, we select as one of the possible post-quantum alternatives a lattice-based scheme proposed by Jeudy, Roux-Langlois, and Sander, and we try to identify the open problems for achieving VCs suitable for selective disclosure, non-interactive renewal mechanisms, and efficient revocation

Biometric Cryptosystems : Authentication, Encryption and Signature for Biometric Identities

Biometrics have been used for secure identification and authentication for more than two decades since biometric data is unique, non-transferable, unforgettable, and always with us. Recently, biometrics has pervaded other aspects of security applications that can be listed under the topic of ``Biometric Cryptosystems''. Although the security of some of these systems is questionable when they are utilized alone, integration with other technologies such as digital signatures or Identity Based Encryption (IBE) schemes results in cryptographically secure applications of biometrics. It is exactly this field of biometric cryptosystems that we focused in this thesis. In particular, our goal is to design cryptographic protocols for biometrics in the framework of a realistic security model with a security reduction. Our protocols are designed for biometric based encryption, signature and remote authentication. We first analyze the recently introduced biometric remote authentication schemes designed according to the security model of Bringer et al.. In this model, we show that one can improve the database storage cost significantly by designing a new architecture, which is a two-factor authentication protocol. This construction is also secure against the new attacks we present, which disprove the claimed security of remote authentication schemes, in particular the ones requiring a secure sketch. Thus, we introduce a new notion called ``Weak-identity Privacy'' and propose a new construction by combining cancelable biometrics and distributed remote authentication in order to obtain a highly secure biometric authentication system. We continue our research on biometric remote authentication by analyzing the security issues of multi-factor biometric authentication (MFBA). We formally describe the security model for MFBA that captures simultaneous attacks against these systems and define the notion of user privacy, where the goal of the adversary is to impersonate a client to the server. We design a new protocol by combining bipartite biotokens, homomorphic encryption and zero-knowledge proofs and provide a security reduction to achieve user privacy. The main difference of this MFBA protocol is that the server-side computations are performed in the encrypted domain but without requiring a decryption key for the authentication decision of the server. Thus, leakage of the secret key of any system component does not affect the security of the scheme as opposed to the current biometric systems involving cryptographic techniques. We also show that there is a tradeoff between the security level the scheme achieves and the requirement for making the authentication decision without using any secret key. In the second part of the thesis, we delve into biometric-based signature and encryption schemes. We start by designing a new biometric IBS system that is based on the currently most efficient pairing based signature scheme in the literature. We prove the security of our new scheme in the framework of a stronger model compared to existing adversarial models for fuzzy IBS, which basically simulates the leakage of partial secret key components of the challenge identity. In accordance with the novel features of this scheme, we describe a new biometric IBE system called as BIO-IBE. BIO-IBE differs from the current fuzzy systems with its key generation method that not only allows for a larger set of encryption systems to function for biometric identities, but also provides a better accuracy/identification of the users in the system. In this context, BIO-IBE is the first scheme that allows for the use of multi-modal biometrics to avoid collision attacks. Finally, BIO-IBE outperforms the current schemes and for small-universe of attributes, it is secure in the standard model with a better efficiency compared to its counterpart. Another contribution of this thesis is the design of biometric IBE systems without using pairings. In fact, current fuzzy IBE schemes are secure under (stronger) bilinear assumptions and the decryption of each message requires pairing computations almost equal to the number of attributes defining the user. Thus, fuzzy IBE makes error-tolerant encryption possible at the expense of efficiency and security. Hence, we design a completely new construction for biometric IBE based on error-correcting codes, generic conversion schemes and weakly secure anonymous IBE schemes that encrypt a message bit by bit. The resulting scheme is anonymous, highly secure and more efficient compared to pairing-based biometric IBE, especially for the decryption phase. The security of our generic construction is reduced to the security of the anonymous IBE scheme, which is based on the Quadratic Residuosity assumption. The binding of biometric features to the user's identity is achieved similar to BIO-IBE, thus, preserving the advantages of its key generation procedure

MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces

MuSig is a multi-signature scheme for Schnorr signatures, which supports key aggregation and is secure in the plain public key model. Standard derandomization techniques for discrete logarithm-based signatures such as RFC 6979, which make the signing procedure immune to catastrophic failures in the randomness generation, are not applicable to multi-signatures as an attacker could trick an honest user into producing two different partial signatures with the same randomness, which would reveal the user\u27s secret key. In this paper, we propose a variant of MuSig in which signers generate their nonce deterministically as a pseudorandom function of the message and all signers\u27 public keys and prove that they did so by providing a non-interactive zero-knowledge proof to their cosigners. The resulting scheme, which we call MuSig-DN, is the first Schnorr multi-signature scheme with deterministic signing. Therefore its signing protocol is robust against failures in the randomness generation as well as attacks trying to exploit the statefulness of the signing procedure, e.g., virtual machine rewinding attacks. As an additional benefit, a signing session in MuSig-DN requires only two rounds instead of three as required by all previous Schnorr multi-signatures including MuSig. To instantiate our construction, we identify a suitable algebraic pseudorandom function and provide an efficient implementation of this function as an arithmetic circuit. This makes it possible to realize MuSig-DN efficiently using zero-knowledge proof frameworks for arithmetic circuits which support inputs given in Pedersen commitments, e.g., Bulletproofs. We demonstrate the practicality of our technique by implementing it for the secp256k1 elliptic curve used in Bitcoin